[MDEV-14443] DENY clause for access control a.k.a. "negative grants" - Jira

Hanzhi (Inactive) created issue - 2017-11-20 08:24

Sergei Golubchik made changes - 2017-11-20 10:06

Field	Original Value	New Value
Summary	MariaDB privilege system does not have backlist for access control	MariaDB privilege system does not have blacklist for access control

Sergei Golubchik made changes - 2018-02-07 09:57

Summary

MariaDB privilege system does not have blacklist for access control

Blacklist for access control a.k.a. "negative grants"

Sergei Golubchik made changes - 2018-02-07 10:00

Description

Currently, MariaDB privilege system only perform whiltelist check for access control to certain database, table and column. This makes it difficult if we need to block access to certain database/table/column while allow for all others.

Currently, MariaDB privilege system only perform whiltelist check for access control to certain database, table and column. This makes it difficult if we need to block access to certain database/table/column while allow for all others.
----
A good solution would be to allow to {{REVOKE}} anything that a user is able to do — not only exactly those grants that were granted to a user, but also a suubset. Like
{code:sql}
GRANT SELECT ON some_database.* TO a_user@%;
REVOKE SELECT ON some_database.secret_table FROM a_user@%;
{code}

Sergei Golubchik made changes - 2018-02-07 10:00

Description

Currently, MariaDB privilege system only perform whiltelist check for access control to certain database, table and column. This makes it difficult if we need to block access to certain database/table/column while allow for all others.
----
A good solution would be to allow to {{REVOKE}} anything that a user is able to do — not only exactly those grants that were granted to a user, but also a suubset. Like
{code:sql}
GRANT SELECT ON some_database.* TO a_user@%;
REVOKE SELECT ON some_database.secret_table FROM a_user@%;
{code}

Currently, MariaDB privilege system only perform whiltelist check for access control to certain database, table and column. This makes it difficult if we need to block access to certain database/table/column while allow for all others.
----
A good solution would be to allow to {{REVOKE}} anything that a user is able to do — not only exactly those grants that were granted to a user, but also a subset. Like
{code:sql}
GRANT SELECT ON some_database.* TO a_user@%;
REVOKE SELECT ON some_database.secret_table FROM a_user@%;
{code}

Sergei Golubchik made changes - 2018-02-07 10:01

Labels

gsoc18

Ralf Gebhardt made changes - 2018-02-07 10:18

Link

This issue is part of PT-68 [ PT-68 ]

Ralf Gebhardt made changes - 2018-02-07 10:18

Fix Version/s

10.4 [ 22408 ]

Sergei Golubchik made changes - 2018-02-07 22:23

Description

Currently, MariaDB privilege system only perform whiltelist check for access control to certain database, table and column. This makes it difficult if we need to block access to certain database/table/column while allow for all others.
----
A good solution would be to allow to {{REVOKE}} anything that a user is able to do — not only exactly those grants that were granted to a user, but also a subset. Like
{code:sql}
GRANT SELECT ON some_database.* TO a_user@%;
REVOKE SELECT ON some_database.secret_table FROM a_user@%;
{code}

Currently, MariaDB privilege system only perform whiltelist check for access control to certain database, table and column. This makes it difficult if we need to block access to certain database/table/column while allow for all others.
---
A good solution would be to allow to {{REVOKE}} anything that a user is able to do — not only exactly those grants that were granted to a user, but also a subset. Like
{code:sql}
GRANT SELECT ON some_database.* TO a_user@%;
REVOKE SELECT ON some_database.secret_table FROM a_user@%;
{code}

Vicențiu Ciorbaru made changes - 2018-02-08 12:32

Assignee

Vicentiu Ciorbaru [ cvicentiu ]

Vicențiu Ciorbaru made changes - 2018-05-08 06:43

Status

Open [ 1 ]

In Progress [ 3 ]

Vicențiu Ciorbaru made changes - 2018-05-08 10:27

Assignee

Vicentiu Ciorbaru [ cvicentiu ]

Rutuja Surve [ rutuja ]

Sergei Golubchik made changes - 2018-05-11 17:48

Remote Link

This issue links to " Proposal for Negative Grants Project (Web Link)" [ 28500 ]

Julien Fritsch made changes - 2018-07-05 12:50

Link

This issue is part of PT-73 [ PT-73 ]

Julien Fritsch made changes - 2018-07-05 12:52

Link

This issue is part of PT-73 [ PT-73 ]

Julien Fritsch made changes - 2018-07-05 12:56

Epic Link

PT-73 [ 68549 ]

Ralf Gebhardt made changes - 2018-07-10 13:39

Priority

Major [ 3 ]

Critical [ 2 ]

Ralf Gebhardt made changes - 2018-08-23 13:07

Rank

Ranked higher

Ralf Gebhardt added a comment - 2018-11-10 20:37 - edited

cvicentiu, rutuja, Please add a rough estimate for the remaining work

Ralf Gebhardt added a comment - 2018-11-10 20:37 - edited cvicentiu , rutuja , Please add a rough estimate for the remaining work

Ralf Gebhardt made changes - 2018-11-10 20:38

Team

Server DEV

Foundation

Ralf Gebhardt made changes - 2018-11-10 20:38

Assignee

Rutuja Surve [ rutuja ]

Vicentiu Ciorbaru [ cvicentiu ]

Rutuja Surve (Inactive) made changes - 2019-01-22 05:46

Attachment

Rutuja-Reverse-Priv-Dec-18.pdf [ 47132 ]

Rutuja Surve (Inactive) added a comment - 2019-01-22 05:57

Current status:
1. User level (Global) deny works with and without an initial GRANT.
2. Database level deny works without an initial GRANT.
Attaching the detailed approach followed for the same shortly.

Rutuja Surve (Inactive) added a comment - 2019-01-22 05:57 Current status: 1. User level (Global) deny works with and without an initial GRANT. 2. Database level deny works without an initial GRANT. Attaching the detailed approach followed for the same shortly.

Rasmus Johansson (Inactive) made changes - 2019-02-25 14:48

Labels

gsoc18

gsoc18 gsoc19

Ian Gilfillan made changes - 2019-02-27 02:55

Labels

gsoc18 gsoc19

gsoc18

Vicențiu Ciorbaru made changes - 2019-05-02 12:44

Fix Version/s		10.5 [ 23123 ]
Fix Version/s	10.4 [ 22408 ]

Rutuja Surve (Inactive) added a comment - 2019-05-05 02:56

Current status of implementation:
User and database level denies work end to end.
Work in progress for table and column level deny (estimate 1 week)
Routine level deny (estimate 1 week)
Testing and review (estimate 2 weeks)

Rutuja Surve (Inactive) added a comment - 2019-05-05 02:56 Current status of implementation: User and database level denies work end to end. Work in progress for table and column level deny (estimate 1 week) Routine level deny (estimate 1 week) Testing and review (estimate 2 weeks)

Ralf Gebhardt made changes - 2019-07-31 20:00

Epic Link

PT-73 [ 68549 ]

Sergei Golubchik made changes - 2019-08-05 16:49

Status

In Progress [ 3 ]

Stalled [ 10000 ]

Sergei Golubchik made changes - 2019-08-05 16:49

Fix Version/s

10.5 [ 23123 ]

Ben Stillman added a comment - 2020-08-25 17:40

As discussed with Max a while back, this functionality is highly desired by the SkySQL team to revoke access to system schemas.

Ben Stillman added a comment - 2020-08-25 17:40 As discussed with Max a while back, this functionality is highly desired by the SkySQL team to revoke access to system schemas.

Rupert Harwood (Inactive) made changes - 2021-02-10 17:37

Link

This issue relates to DBAAS-6361 [ DBAAS-6361 ]

Jim Parks (Inactive) added a comment - 2021-05-20 19:55

The problem I see with that is just that if you later grant some privileges
that contradict the earlier REVOKE, then what will the expected behavior
be? I like the idea of a DENY that overrides any existing or future grants.

JP

On Thu, May 20, 2021 at 7:13 AM Ralf Gebhardt (Jira) <jira@mariadb.org>

Jim Parks (Inactive) added a comment - 2021-05-20 19:55 The problem I see with that is just that if you later grant some privileges that contradict the earlier REVOKE, then what will the expected behavior be? I like the idea of a DENY that overrides any existing or future grants. JP On Thu, May 20, 2021 at 7:13 AM Ralf Gebhardt (Jira) <jira@mariadb.org>

Ralf Gebhardt made changes - 2021-10-25 11:49

Fix Version/s

10.8 [ 26121 ]

Vicențiu Ciorbaru made changes - 2021-11-05 19:32

Description

Currently, MariaDB privilege system only perform whiltelist check for access control to certain database, table and column. This makes it difficult if we need to block access to certain database/table/column while allow for all others.
---
A good solution would be to allow to {{REVOKE}} anything that a user is able to do — not only exactly those grants that were granted to a user, but also a subset. Like
{code:sql}
GRANT SELECT ON some_database.* TO a_user@%;
REVOKE SELECT ON some_database.secret_table FROM a_user@%;
{code}

h2. Summary:
Implement a way to ensure that a user can not get access to a particular resource.
DENY will function as a separate set of rules for access control. If any resource (global, database, table, column, procedure, function, etc.) has a deny on one particular privilege, it is impossible to gain that privilege unless the DENY is revoked.

For example:
{code:sql}
GRANT SELECT on *.* to alice;
DENY SELECT on db.secret_table to alice;
{code}

{{alice}} will not be able to select from secret_table.

h2. Syntax:
{code:sql}
DENY <privilege-list> ON <object-list> TO <user-or-role>

REVOKE DENY <privilege-list> ON <object-list> FROM <user-or-role>
{code}

h3. User cases
https://stackoverflow.com/questions/6288554/mysql-grant-all-privileges-to-database-except-one-table (32k views)
https://dba.stackexchange.com/questions/98949/grant-select-on-all-databases-except-one-mysql (18k views)
https://dba.stackexchange.com/questions/68957/block-user-access-to-certain-tables (13k views)

h3. Details:

# Users should not be able to see that a DENY is assigned to them. Similar to how databases that the user can not access are not visible in {{show databases}}.
# DENY works on roles (as well as PUBLIC when it is implemented)
# Enabling a role activates that role's denies as well.
# Denies will be visible in {{SHOW GRANTS \[FOR\]}} if:
* User has read or write access to {{mysql}} database.
* User has read or write access to corresponding {{mysql}} privilege table.
* User has some form of SUPER privilege. (SAY IGNORE DENIES)
# (?) Methods of querying denies: INFORMATION_SCHEMA.USER_PRIVILEGES

h4. Compatiblity with other databases (Potential future work)
*SQL Server*
* Compared to SQL Server, DENY can only be revoked via REVOKE DENY. Future possibility for SQL Server compatibility (via {{SQL_MODE=MSSQL}}) GRANT can also cancel a DENY.
* An SQL Server quirk is that column level denies take precedence over table level denies. This is a deprecated functionality of SQL Server, meant for backwards compatibility.

*MySQL*
* MySQL treats revokes as "holes" that are filled when the privilege is granted (directly or via a a higher level grant). Deny will remain in effect in our implementation.
* To allow MySQL compatibility, a possible extension in the future is: {{@@partial_revokes=1}} -> REVOKE also works as DENY.

h3. Implementation details:
* Current privilege checking order first checks global, database, table, column privileges (in this order). If at any point the needed privileges are met, the privilege checking code stops execution. Introducing denies will require an additional lookup, one for each individual resource accessed. Some form of quick lookup must be made to answer:
** Does this user have denies for databases? (if global privileges met all required access bits).
** Does this user have denies for tables in a particular database (if database level privileges met all required access bits).
** Does this user have denies on table columns for a particular table (if table level privileges met all required access bits).
* (?) Should denies be stored in global_priv only, or should corresponding mysql.db, mysql.table_priv, etc. tables also have a "DENY" column?

h3. Milestones (each milestone includes test cases showcasing functionality):
# Grammar
# Global denies
# Database denies
# Table level denies
# Column level denies
# Stored procedure denies
# Information schema tables

Sergei Golubchik made changes - 2021-11-07 18:26

Description

h2. Summary:
Implement a way to ensure that a user can not get access to a particular resource.
DENY will function as a separate set of rules for access control. If any resource (global, database, table, column, procedure, function, etc.) has a deny on one particular privilege, it is impossible to gain that privilege unless the DENY is revoked.

For example:
{code:sql}
GRANT SELECT on *.* to alice;
DENY SELECT on db.secret_table to alice;
{code}

{{alice}} will not be able to select from secret_table.

h2. Syntax:
{code:sql}
DENY <privilege-list> ON <object-list> TO <user-or-role>

REVOKE DENY <privilege-list> ON <object-list> FROM <user-or-role>
{code}

h3. User cases
https://stackoverflow.com/questions/6288554/mysql-grant-all-privileges-to-database-except-one-table (32k views)
https://dba.stackexchange.com/questions/98949/grant-select-on-all-databases-except-one-mysql (18k views)
https://dba.stackexchange.com/questions/68957/block-user-access-to-certain-tables (13k views)

h3. Details:

# Users should not be able to see that a DENY is assigned to them. Similar to how databases that the user can not access are not visible in {{show databases}}.
# DENY works on roles (as well as PUBLIC when it is implemented)
# Enabling a role activates that role's denies as well.
# Denies will be visible in {{SHOW GRANTS \[FOR\]}} if:
* User has read or write access to {{mysql}} database.
* User has read or write access to corresponding {{mysql}} privilege table.
* User has some form of SUPER privilege. (SAY IGNORE DENIES)
# (?) Methods of querying denies: INFORMATION_SCHEMA.USER_PRIVILEGES

h4. Compatiblity with other databases (Potential future work)
*SQL Server*
* Compared to SQL Server, DENY can only be revoked via REVOKE DENY. Future possibility for SQL Server compatibility (via {{SQL_MODE=MSSQL}}) GRANT can also cancel a DENY.
* An SQL Server quirk is that column level denies take precedence over table level denies. This is a deprecated functionality of SQL Server, meant for backwards compatibility.

*MySQL*
* MySQL treats revokes as "holes" that are filled when the privilege is granted (directly or via a a higher level grant). Deny will remain in effect in our implementation.
* To allow MySQL compatibility, a possible extension in the future is: {{@@partial_revokes=1}} -> REVOKE also works as DENY.

h3. Implementation details:
* Current privilege checking order first checks global, database, table, column privileges (in this order). If at any point the needed privileges are met, the privilege checking code stops execution. Introducing denies will require an additional lookup, one for each individual resource accessed. Some form of quick lookup must be made to answer:
** Does this user have denies for databases? (if global privileges met all required access bits).
** Does this user have denies for tables in a particular database (if database level privileges met all required access bits).
** Does this user have denies on table columns for a particular table (if table level privileges met all required access bits).
* (?) Should denies be stored in global_priv only, or should corresponding mysql.db, mysql.table_priv, etc. tables also have a "DENY" column?

h3. Milestones (each milestone includes test cases showcasing functionality):
# Grammar
# Global denies
# Database denies
# Table level denies
# Column level denies
# Stored procedure denies
# Information schema tables

h2. Summary:
Implement a way to ensure that a user can not get access to a particular resource.
DENY will function as a separate set of rules for access control. If any resource (global, database, table, column, procedure, function, etc.) has a deny on one particular privilege, it is impossible to gain that privilege unless the DENY is revoked.

For example:
{code:sql}
GRANT SELECT on *.* to alice;
DENY SELECT on db.secret_table to alice;
{code}

{{alice}} will not be able to select from secret_table.

h2. Syntax:
{code:sql}
DENY <privilege-list> ON <object-list> TO <user-or-role>

REVOKE DENY <privilege-list> ON <object-list> FROM <user-or-role>
{code}

h3. User cases
https://stackoverflow.com/questions/6288554/mysql-grant-all-privileges-to-database-except-one-table (32k views)
https://dba.stackexchange.com/questions/98949/grant-select-on-all-databases-except-one-mysql (18k views)
https://dba.stackexchange.com/questions/68957/block-user-access-to-certain-tables (13k views)

h3. Details:

# Users should not be able to see that a DENY is assigned to them. Similar to how databases that the user can not access are not visible in {{show databases}}.
# DENY works on roles (as well as PUBLIC when it is implemented)
# Enabling a role activates that role's denies as well.
# Denies will be visible in {{SHOW GRANTS \[FOR\]}} if:
* User has read or write access to {{mysql}} database.
* User has read or write access to corresponding {{mysql}} privilege table.
* User has some form of SUPER privilege. (say IGNORE DENIES)
# (?) Methods of querying denies: INFORMATION_SCHEMA.USER_PRIVILEGES

h4. Compatiblity with other databases (Potential future work)
*SQL Server*
* Compared to SQL Server, DENY can only be revoked via REVOKE DENY. Future possibility for SQL Server compatibility (via {{SQL_MODE=MSSQL}}) GRANT can also cancel a DENY.
* An SQL Server quirk is that column level denies take precedence over table level denies. This is a deprecated functionality of SQL Server, meant for backwards compatibility.

*MySQL*
* MySQL treats revokes as "holes" that are filled when the privilege is granted (directly or via a a higher level grant). Deny will remain in effect in our implementation.
* To allow MySQL compatibility, a possible extension in the future is: {{@@partial_revokes=1}} -> REVOKE also works as DENY.

h3. Implementation details:
* Current privilege checking order first checks global, database, table, column privileges (in this order). If at any point the needed privileges are met, the privilege checking code stops execution. Introducing denies will require an additional lookup, one for each individual resource accessed. Some form of quick lookup must be made to answer:
** Does this user have denies for databases? (if global privileges met all required access bits).
** Does this user have denies for tables in a particular database (if database level privileges met all required access bits).
** Does this user have denies on table columns for a particular table (if table level privileges met all required access bits).
* (?) Should denies be stored in global_priv only, or should corresponding mysql.db, mysql.table_priv, etc. tables also have a "DENY" column?

h3. Milestones (each milestone includes test cases showcasing functionality):
# Grammar
# Global denies
# Database denies
# Table level denies
# Column level denies
# Stored procedure denies
# Information schema tables

Vicențiu Ciorbaru made changes - 2021-11-08 10:00

Description

h2. Summary:
Implement a way to ensure that a user can not get access to a particular resource.
DENY will function as a separate set of rules for access control. If any resource (global, database, table, column, procedure, function, etc.) has a deny on one particular privilege, it is impossible to gain that privilege unless the DENY is revoked.

For example:
{code:sql}
GRANT SELECT on *.* to alice;
DENY SELECT on db.secret_table to alice;
{code}

{{alice}} will not be able to select from secret_table.

h2. Syntax:
{code:sql}
DENY <privilege-list> ON <object-list> TO <user-or-role>

REVOKE DENY <privilege-list> ON <object-list> FROM <user-or-role>
{code}

h3. User cases
https://stackoverflow.com/questions/6288554/mysql-grant-all-privileges-to-database-except-one-table (32k views)
https://dba.stackexchange.com/questions/98949/grant-select-on-all-databases-except-one-mysql (18k views)
https://dba.stackexchange.com/questions/68957/block-user-access-to-certain-tables (13k views)

h3. Details:

# Users should not be able to see that a DENY is assigned to them. Similar to how databases that the user can not access are not visible in {{show databases}}.
# DENY works on roles (as well as PUBLIC when it is implemented)
# Enabling a role activates that role's denies as well.
# Denies will be visible in {{SHOW GRANTS \[FOR\]}} if:
* User has read or write access to {{mysql}} database.
* User has read or write access to corresponding {{mysql}} privilege table.
* User has some form of SUPER privilege. (say IGNORE DENIES)
# (?) Methods of querying denies: INFORMATION_SCHEMA.USER_PRIVILEGES

h4. Compatiblity with other databases (Potential future work)
*SQL Server*
* Compared to SQL Server, DENY can only be revoked via REVOKE DENY. Future possibility for SQL Server compatibility (via {{SQL_MODE=MSSQL}}) GRANT can also cancel a DENY.
* An SQL Server quirk is that column level denies take precedence over table level denies. This is a deprecated functionality of SQL Server, meant for backwards compatibility.

*MySQL*
* MySQL treats revokes as "holes" that are filled when the privilege is granted (directly or via a a higher level grant). Deny will remain in effect in our implementation.
* To allow MySQL compatibility, a possible extension in the future is: {{@@partial_revokes=1}} -> REVOKE also works as DENY.

h3. Implementation details:
* Current privilege checking order first checks global, database, table, column privileges (in this order). If at any point the needed privileges are met, the privilege checking code stops execution. Introducing denies will require an additional lookup, one for each individual resource accessed. Some form of quick lookup must be made to answer:
** Does this user have denies for databases? (if global privileges met all required access bits).
** Does this user have denies for tables in a particular database (if database level privileges met all required access bits).
** Does this user have denies on table columns for a particular table (if table level privileges met all required access bits).
* (?) Should denies be stored in global_priv only, or should corresponding mysql.db, mysql.table_priv, etc. tables also have a "DENY" column?

h3. Milestones (each milestone includes test cases showcasing functionality):
# Grammar
# Global denies
# Database denies
# Table level denies
# Column level denies
# Stored procedure denies
# Information schema tables

h2. Summary:
Implement a way to ensure that a user can not get access to a particular resource.
DENY will function as a separate set of rules for access control. If any resource (global, database, table, column, procedure, function, etc.) has a deny on one particular privilege, it is impossible to gain that privilege unless the DENY is revoked.

For example:
{code:sql}
GRANT SELECT on *.* to alice;
DENY SELECT on db.secret_table to alice;
{code}

{{alice}} will not be able to select from secret_table.

h2. Syntax:
{code:sql}
DENY <privilege-list> ON <object-list> TO <user-or-role>

REVOKE DENY <privilege-list> ON <object-list> FROM <user-or-role>
{code}

h3. User cases
https://stackoverflow.com/questions/6288554/mysql-grant-all-privileges-to-database-except-one-table (32k views)
https://dba.stackexchange.com/questions/98949/grant-select-on-all-databases-except-one-mysql (18k views)
https://dba.stackexchange.com/questions/68957/block-user-access-to-certain-tables (13k views)

h3. Details:

# Users should not be able to see that a DENY is assigned to them. Similar to how databases that the user can not access are not visible in {{show databases}}.
# DENY works on roles (as well as PUBLIC when it is implemented)
# Enabling a role activates that role's denies as well.
# Denies will be visible in {{SHOW GRANTS \[FOR\]}} if:
** User has read or write access to {{mysql}} database.
** User has read or write access to corresponding {{mysql}} privilege table.
** User has some form of SUPER privilege. (say IGNORE DENIES)
# (?) Methods of querying denies: INFORMATION_SCHEMA.USER_PRIVILEGES

h4. Compatiblity with other databases (Potential future work)
*SQL Server*
* Compared to SQL Server, DENY can only be revoked via REVOKE DENY. Future possibility for SQL Server compatibility (via {{SQL_MODE=MSSQL}}) GRANT can also cancel a DENY.
* An SQL Server quirk is that column level denies take precedence over table level denies. This is a deprecated functionality of SQL Server, meant for backwards compatibility.

*MySQL*
* MySQL treats revokes as "holes" that are filled when the privilege is granted (directly or via a a higher level grant). Deny will remain in effect in our implementation.
* To allow MySQL compatibility, a possible extension in the future is: {{@@partial_revokes=1}} -> REVOKE also works as DENY.

h3. Implementation details:
* Current privilege checking order first checks global, database, table, column privileges (in this order). If at any point the needed privileges are met, the privilege checking code stops execution. Introducing denies will require an additional lookup, one for each individual resource accessed. Some form of quick lookup must be made to answer:
** Does this user have denies for databases? (if global privileges met all required access bits).
** Does this user have denies for tables in a particular database (if database level privileges met all required access bits).
** Does this user have denies on table columns for a particular table (if table level privileges met all required access bits).
* (?) Should denies be stored in global_priv only, or should corresponding mysql.db, mysql.table_priv, etc. tables also have a "DENY" column?

h3. Milestones (each milestone includes test cases showcasing functionality):
# Grammar
# Global denies
# Database denies
# Table level denies
# Column level denies
# Stored procedure denies
# Information schema tables

Vicențiu Ciorbaru made changes - 2021-11-09 10:13

Description

h2. Summary:
Implement a way to ensure that a user can not get access to a particular resource.
DENY will function as a separate set of rules for access control. If any resource (global, database, table, column, procedure, function, etc.) has a deny on one particular privilege, it is impossible to gain that privilege unless the DENY is revoked.

For example:
{code:sql}
GRANT SELECT on *.* to alice;
DENY SELECT on db.secret_table to alice;
{code}

{{alice}} will not be able to select from secret_table.

h2. Syntax:
{code:sql}
DENY <privilege-list> ON <object-list> TO <user-or-role>

REVOKE DENY <privilege-list> ON <object-list> FROM <user-or-role>
{code}

h3. User cases
https://stackoverflow.com/questions/6288554/mysql-grant-all-privileges-to-database-except-one-table (32k views)
https://dba.stackexchange.com/questions/98949/grant-select-on-all-databases-except-one-mysql (18k views)
https://dba.stackexchange.com/questions/68957/block-user-access-to-certain-tables (13k views)

h3. Details:

# Users should not be able to see that a DENY is assigned to them. Similar to how databases that the user can not access are not visible in {{show databases}}.
# DENY works on roles (as well as PUBLIC when it is implemented)
# Enabling a role activates that role's denies as well.
# Denies will be visible in {{SHOW GRANTS \[FOR\]}} if:
** User has read or write access to {{mysql}} database.
** User has read or write access to corresponding {{mysql}} privilege table.
** User has some form of SUPER privilege. (say IGNORE DENIES)
# (?) Methods of querying denies: INFORMATION_SCHEMA.USER_PRIVILEGES

h4. Compatiblity with other databases (Potential future work)
*SQL Server*
* Compared to SQL Server, DENY can only be revoked via REVOKE DENY. Future possibility for SQL Server compatibility (via {{SQL_MODE=MSSQL}}) GRANT can also cancel a DENY.
* An SQL Server quirk is that column level denies take precedence over table level denies. This is a deprecated functionality of SQL Server, meant for backwards compatibility.

*MySQL*
* MySQL treats revokes as "holes" that are filled when the privilege is granted (directly or via a a higher level grant). Deny will remain in effect in our implementation.
* To allow MySQL compatibility, a possible extension in the future is: {{@@partial_revokes=1}} -> REVOKE also works as DENY.

h3. Implementation details:
* Current privilege checking order first checks global, database, table, column privileges (in this order). If at any point the needed privileges are met, the privilege checking code stops execution. Introducing denies will require an additional lookup, one for each individual resource accessed. Some form of quick lookup must be made to answer:
** Does this user have denies for databases? (if global privileges met all required access bits).
** Does this user have denies for tables in a particular database (if database level privileges met all required access bits).
** Does this user have denies on table columns for a particular table (if table level privileges met all required access bits).
* (?) Should denies be stored in global_priv only, or should corresponding mysql.db, mysql.table_priv, etc. tables also have a "DENY" column?

h3. Milestones (each milestone includes test cases showcasing functionality):
# Grammar
# Global denies
# Database denies
# Table level denies
# Column level denies
# Stored procedure denies
# Information schema tables

h2. Summary:
Implement a way to ensure that a user can not get access to a particular resource.
DENY will function as a separate set of rules for access control. If any resource (global, database, table, column, procedure, function, etc.) has a deny on one particular privilege, it is impossible to gain that privilege unless the DENY is revoked.

For example:
{code:sql}
GRANT SELECT on *.* to alice;
DENY SELECT on db.secret_table to alice;
{code}

{{alice}} will not be able to select from secret_table.

h2. Syntax:
{code:sql}
DENY <privilege-list> ON <object-list> TO <user-or-role>

REVOKE DENY <privilege-list> ON <object-list> FROM <user-or-role>
{code}

h3. User cases
https://stackoverflow.com/questions/6288554/mysql-grant-all-privileges-to-database-except-one-table (32k views)
https://dba.stackexchange.com/questions/98949/grant-select-on-all-databases-except-one-mysql (18k views)
https://dba.stackexchange.com/questions/68957/block-user-access-to-certain-tables (13k views)

h3. Details:

# Users should not be able to see that a DENY is assigned to them. Similar to how databases that the user can not access are not visible in {{show databases}}.
# DENY works on roles (as well as PUBLIC when it is implemented)
# Enabling a role activates that role's denies as well.
# Denies will be visible in {{SHOW GRANTS \[FOR\]}} if:
** User has read or write access to {{mysql}} database.
** -User has read or write access to corresponding {{mysql}} privilege table.- (TODO for as a separate MDEV for SHOW GRANTS)
** User has some form of SUPER privilege. (say IGNORE DENIES)
# (?) Methods of querying denies: INFORMATION_SCHEMA.USER_PRIVILEGES

h4. Compatiblity with other databases (Potential future work)
*SQL Server*
* Compared to SQL Server, DENY can only be revoked via REVOKE DENY. Future possibility for SQL Server compatibility (via {{SQL_MODE=MSSQL}}) GRANT can also cancel a DENY.
* An SQL Server quirk is that column level denies take precedence over table level denies. This is a deprecated functionality of SQL Server, meant for backwards compatibility.

*MySQL*
* MySQL treats revokes as "holes" that are filled when the privilege is granted (directly or via a a higher level grant). Deny will remain in effect in our implementation.
* To allow MySQL compatibility, a possible extension in the future is: {{@@partial_revokes=1}} -> REVOKE also works as DENY.

h3. Implementation details:
* Current privilege checking order first checks global, database, table, column privileges (in this order). If at any point the needed privileges are met, the privilege checking code stops execution. Introducing denies will require an additional lookup, one for each individual resource accessed. Some form of quick lookup must be made to answer:
** Does this user have denies for databases? (if global privileges met all required access bits).
** Does this user have denies for tables in a particular database (if database level privileges met all required access bits).
** Does this user have denies on table columns for a particular table (if table level privileges met all required access bits).
* (?) Should denies be stored in global_priv only, or should corresponding mysql.db, mysql.table_priv, etc. tables also have a "DENY" column?

h3. Milestones (each milestone includes test cases showcasing functionality):
# Grammar
# Global denies
# Database denies
# Table level denies
# Column level denies
# Stored procedure denies
# Information schema tables

Vicențiu Ciorbaru made changes - 2021-11-09 14:27

Description

h2. Summary:
Implement a way to ensure that a user can not get access to a particular resource.
DENY will function as a separate set of rules for access control. If any resource (global, database, table, column, procedure, function, etc.) has a deny on one particular privilege, it is impossible to gain that privilege unless the DENY is revoked.

For example:
{code:sql}
GRANT SELECT on *.* to alice;
DENY SELECT on db.secret_table to alice;
{code}

{{alice}} will not be able to select from secret_table.

h2. Syntax:
{code:sql}
DENY <privilege-list> ON <object-list> TO <user-or-role>

REVOKE DENY <privilege-list> ON <object-list> FROM <user-or-role>
{code}

h3. User cases
https://stackoverflow.com/questions/6288554/mysql-grant-all-privileges-to-database-except-one-table (32k views)
https://dba.stackexchange.com/questions/98949/grant-select-on-all-databases-except-one-mysql (18k views)
https://dba.stackexchange.com/questions/68957/block-user-access-to-certain-tables (13k views)

h3. Details:

# Users should not be able to see that a DENY is assigned to them. Similar to how databases that the user can not access are not visible in {{show databases}}.
# DENY works on roles (as well as PUBLIC when it is implemented)
# Enabling a role activates that role's denies as well.
# Denies will be visible in {{SHOW GRANTS \[FOR\]}} if:
** User has read or write access to {{mysql}} database.
** -User has read or write access to corresponding {{mysql}} privilege table.- (TODO for as a separate MDEV for SHOW GRANTS)
** User has some form of SUPER privilege. (say IGNORE DENIES)
# (?) Methods of querying denies: INFORMATION_SCHEMA.USER_PRIVILEGES

h4. Compatiblity with other databases (Potential future work)
*SQL Server*
* Compared to SQL Server, DENY can only be revoked via REVOKE DENY. Future possibility for SQL Server compatibility (via {{SQL_MODE=MSSQL}}) GRANT can also cancel a DENY.
* An SQL Server quirk is that column level denies take precedence over table level denies. This is a deprecated functionality of SQL Server, meant for backwards compatibility.

*MySQL*
* MySQL treats revokes as "holes" that are filled when the privilege is granted (directly or via a a higher level grant). Deny will remain in effect in our implementation.
* To allow MySQL compatibility, a possible extension in the future is: {{@@partial_revokes=1}} -> REVOKE also works as DENY.

h3. Implementation details:
* Current privilege checking order first checks global, database, table, column privileges (in this order). If at any point the needed privileges are met, the privilege checking code stops execution. Introducing denies will require an additional lookup, one for each individual resource accessed. Some form of quick lookup must be made to answer:
** Does this user have denies for databases? (if global privileges met all required access bits).
** Does this user have denies for tables in a particular database (if database level privileges met all required access bits).
** Does this user have denies on table columns for a particular table (if table level privileges met all required access bits).
* (?) Should denies be stored in global_priv only, or should corresponding mysql.db, mysql.table_priv, etc. tables also have a "DENY" column?

h3. Milestones (each milestone includes test cases showcasing functionality):
# Grammar
# Global denies
# Database denies
# Table level denies
# Column level denies
# Stored procedure denies
# Information schema tables

h2. Summary:
Implement a way to ensure that a user can not get access to a particular resource.
DENY will function as a separate set of rules for access control. If any resource (global, database, table, column, procedure, function, etc.) has a deny on one particular privilege, it is impossible to gain that privilege unless the DENY is revoked.

For example:
{code:sql}
GRANT SELECT on *.* to alice;
DENY SELECT on db.secret_table to alice;
{code}

{{alice}} will not be able to select from secret_table.

h2. Syntax:
{code:sql}
DENY <privilege-list> ON <object-list> TO <user-or-role>

REVOKE DENY <privilege-list> ON <object-list> FROM <user-or-role>
{code}

h3. User cases
https://stackoverflow.com/questions/6288554/mysql-grant-all-privileges-to-database-except-one-table (32k views)
https://dba.stackexchange.com/questions/98949/grant-select-on-all-databases-except-one-mysql (18k views)
https://dba.stackexchange.com/questions/68957/block-user-access-to-certain-tables (13k views)

h3. Details:

# Users should not be able to see that a DENY is assigned to them. Similar to how databases that the user can not access are not visible in {{show databases}}.
# DENY works on roles (as well as PUBLIC when it is implemented)
# Enabling a role activates that role's denies as well.
# Denies will be visible in {{SHOW GRANTS \[FOR\]}} if:
** User has read or write access to {{mysql}} database.
** -User has read or write access to corresponding {{mysql}} privilege table.- (TODO for as a separate MDEV for SHOW GRANTS)
# (?) Methods of querying denies: INFORMATION_SCHEMA.USER_PRIVILEGES
# Introduce a form of SUPER privilege, say IGNORE_DENIES, to allow a "superuser" to ignore denies.

h4. Compatiblity with other databases (Potential future work)
*SQL Server*
* Compared to SQL Server, DENY can only be revoked via REVOKE DENY. Future possibility for SQL Server compatibility (via {{SQL_MODE=MSSQL}}) GRANT can also cancel a DENY.
* An SQL Server quirk is that column level denies take precedence over table level denies. This is a deprecated functionality of SQL Server, meant for backwards compatibility.

*MySQL*
* MySQL treats revokes as "holes" that are filled when the privilege is granted (directly or via a a higher level grant). Deny will remain in effect in our implementation.
* To allow MySQL compatibility, a possible extension in the future is: {{@@partial_revokes=1}} -> REVOKE also works as DENY.

h3. Implementation details:
* Current privilege checking order first checks global, database, table, column privileges (in this order). If at any point the needed privileges are met, the privilege checking code stops execution. Introducing denies will require an additional lookup, one for each individual resource accessed. Some form of quick lookup must be made to answer:
** Does this user have denies for databases? (if global privileges met all required access bits).
** Does this user have denies for tables in a particular database (if database level privileges met all required access bits).
** Does this user have denies on table columns for a particular table (if table level privileges met all required access bits).
* (?) Should denies be stored in global_priv only, or should corresponding mysql.db, mysql.table_priv, etc. tables also have a "DENY" column?

h3. Milestones (each milestone includes test cases showcasing functionality):
# Grammar
# Global denies
# Database denies
# Table level denies
# Column level denies
# Stored procedure denies
# Information schema tables

Sergei Golubchik made changes - 2021-11-09 17:50

Description

h2. Summary:
Implement a way to ensure that a user can not get access to a particular resource.
DENY will function as a separate set of rules for access control. If any resource (global, database, table, column, procedure, function, etc.) has a deny on one particular privilege, it is impossible to gain that privilege unless the DENY is revoked.

For example:
{code:sql}
GRANT SELECT on *.* to alice;
DENY SELECT on db.secret_table to alice;
{code}

{{alice}} will not be able to select from secret_table.

h2. Syntax:
{code:sql}
DENY <privilege-list> ON <object-list> TO <user-or-role>

REVOKE DENY <privilege-list> ON <object-list> FROM <user-or-role>
{code}

h3. User cases
https://stackoverflow.com/questions/6288554/mysql-grant-all-privileges-to-database-except-one-table (32k views)
https://dba.stackexchange.com/questions/98949/grant-select-on-all-databases-except-one-mysql (18k views)
https://dba.stackexchange.com/questions/68957/block-user-access-to-certain-tables (13k views)

h3. Details:

# Users should not be able to see that a DENY is assigned to them. Similar to how databases that the user can not access are not visible in {{show databases}}.
# DENY works on roles (as well as PUBLIC when it is implemented)
# Enabling a role activates that role's denies as well.
# Denies will be visible in {{SHOW GRANTS \[FOR\]}} if:
** User has read or write access to {{mysql}} database.
** -User has read or write access to corresponding {{mysql}} privilege table.- (TODO for as a separate MDEV for SHOW GRANTS)
# (?) Methods of querying denies: INFORMATION_SCHEMA.USER_PRIVILEGES
# Introduce a form of SUPER privilege, say IGNORE_DENIES, to allow a "superuser" to ignore denies.

h4. Compatiblity with other databases (Potential future work)
*SQL Server*
* Compared to SQL Server, DENY can only be revoked via REVOKE DENY. Future possibility for SQL Server compatibility (via {{SQL_MODE=MSSQL}}) GRANT can also cancel a DENY.
* An SQL Server quirk is that column level denies take precedence over table level denies. This is a deprecated functionality of SQL Server, meant for backwards compatibility.

*MySQL*
* MySQL treats revokes as "holes" that are filled when the privilege is granted (directly or via a a higher level grant). Deny will remain in effect in our implementation.
* To allow MySQL compatibility, a possible extension in the future is: {{@@partial_revokes=1}} -> REVOKE also works as DENY.

h3. Implementation details:
* Current privilege checking order first checks global, database, table, column privileges (in this order). If at any point the needed privileges are met, the privilege checking code stops execution. Introducing denies will require an additional lookup, one for each individual resource accessed. Some form of quick lookup must be made to answer:
** Does this user have denies for databases? (if global privileges met all required access bits).
** Does this user have denies for tables in a particular database (if database level privileges met all required access bits).
** Does this user have denies on table columns for a particular table (if table level privileges met all required access bits).
* (?) Should denies be stored in global_priv only, or should corresponding mysql.db, mysql.table_priv, etc. tables also have a "DENY" column?

h3. Milestones (each milestone includes test cases showcasing functionality):
# Grammar
# Global denies
# Database denies
# Table level denies
# Column level denies
# Stored procedure denies
# Information schema tables

h2. Summary:
Implement a way to ensure that a user can not get access to a particular resource.
DENY will function as a separate set of rules for access control. If any resource (global, database, table, column, procedure, function, etc.) has a deny on one particular privilege, it is impossible to gain that privilege unless the DENY is revoked.

For example:
{code:sql}
GRANT SELECT on *.* to alice;
DENY SELECT on db.secret_table to alice;
{code}

{{alice}} will not be able to select from secret_table.

h2. Syntax:
{code:sql}
DENY <privilege-list> ON <object-list> TO <user-or-role>

REVOKE DENY <privilege-list> ON <object-list> FROM <user-or-role>
{code}

h3. User cases
https://stackoverflow.com/questions/6288554/mysql-grant-all-privileges-to-database-except-one-table (32k views)
https://dba.stackexchange.com/questions/98949/grant-select-on-all-databases-except-one-mysql (18k views)
https://dba.stackexchange.com/questions/68957/block-user-access-to-certain-tables (13k views)

h3. Details:

# Users should not be able to see that a DENY is assigned to them. Similar to how databases that the user can not access are not visible in {{show databases}}.
# DENY works on roles (as well as PUBLIC when it is implemented)
# Enabling a role activates that role's denies as well.
# Denies will be visible in {{SHOW GRANTS \[FOR\]}} if:
** User has read or write access to {{mysql}} database.
** -User has read or write access to corresponding {{mysql}} privilege table.- (TODO for as a separate MDEV for SHOW GRANTS)
# (?) Methods of querying denies: INFORMATION_SCHEMA.USER_PRIVILEGES
# Introduce a form of SUPER privilege, say IGNORE_DENIES, to allow a "superuser" to ignore denies (this is compatible with SQL Server DENY behavior)

h4. Compatiblity with other databases (Potential future work)
*SQL Server*
* Compared to SQL Server, DENY can only be revoked via REVOKE DENY. Future possibility for SQL Server compatibility (via {{SQL_MODE=MSSQL}}) GRANT can also cancel a DENY.
* An SQL Server quirk is that column level denies take precedence over table level denies. This is a deprecated functionality of SQL Server, meant for backwards compatibility.

*MySQL*
* MySQL treats revokes as "holes" that are filled when the privilege is granted (directly or via a a higher level grant). Deny will remain in effect in our implementation.
* To allow MySQL compatibility, a possible extension in the future is: {{@@partial_revokes=1}} -> REVOKE also works as DENY.

h3. Implementation details:
* Current privilege checking order first checks global, database, table, column privileges (in this order). If at any point the needed privileges are met, the privilege checking code stops execution. Introducing denies will require an additional lookup, one for each individual resource accessed. Some form of quick lookup must be made to answer:
** Does this user have denies for databases? (if global privileges met all required access bits).
** Does this user have denies for tables in a particular database (if database level privileges met all required access bits).
** Does this user have denies on table columns for a particular table (if table level privileges met all required access bits).
* (?) Should denies be stored in global_priv only, or should corresponding mysql.db, mysql.table_priv, etc. tables also have a "DENY" column?

h3. Milestones (each milestone includes test cases showcasing functionality):
# Grammar
# Global denies
# Database denies
# Table level denies
# Column level denies
# Stored procedure denies
# Information schema tables

Manjot Singh (Inactive) made changes - 2021-11-10 16:38

Link

This issue relates to MENT-593 [ MENT-593 ]

Manjot Singh (Inactive) added a comment - 2021-11-10 16:42

If there is a DENY on mysql.* for a user and they try to run:

mysql < mydump.sql

the full dump should load but avoid the mysql.* tables (or have only warnings related).

Manjot Singh (Inactive) added a comment - 2021-11-10 16:42 If there is a DENY on mysql.* for a user and they try to run: mysql < mydump.sql the full dump should load but avoid the mysql.* tables (or have only warnings related).

Manjot Singh (Inactive) added a comment - 2021-11-10 16:43

if there is a DENY on mysql.* .. GRANT and related syntax should still be allowed

Manjot Singh (Inactive) added a comment - 2021-11-10 16:43 if there is a DENY on mysql.* .. GRANT and related syntax should still be allowed

Vicențiu Ciorbaru made changes - 2021-11-22 13:30

Status

Stalled [ 10000 ]

In Progress [ 3 ]

Vicențiu Ciorbaru added a comment - 2021-11-22 13:46

manjot DENY cancels out privileges.

For example if a user could create a user with CREATE USER privilege, but otherwise didn't have INSERT/UPDATE rights on mysql.* database, then the same would be true if the user had DENY INSERT UPDATE on mysql.*.

I assume this is in line with your statements, correct?

Vicențiu Ciorbaru added a comment - 2021-11-22 13:46 manjot DENY cancels out privileges. For example if a user could create a user with CREATE USER privilege, but otherwise didn't have INSERT/UPDATE rights on mysql.* database, then the same would be true if the user had DENY INSERT UPDATE on mysql.* . I assume this is in line with your statements, correct?

Sergei Golubchik made changes - 2021-12-06 21:22

Workflow

MariaDB v3 [ 83893 ]

MariaDB v4 [ 131822 ]

Ralf Gebhardt made changes - 2021-12-22 15:04

Fix Version/s		10.9 [ 26905 ]
Fix Version/s	10.8 [ 26121 ]

Ralf Gebhardt made changes - 2021-12-22 17:10

Link

This issue relates to MENT-1352 [ MENT-1352 ]

Vicențiu Ciorbaru added a comment - 2021-12-23 09:24

A current status update on the feature:

In order to facilitate the feature, I have done the following cleanups:

Move check_xxx_access functions to sql_acl.cc.
Uniform privilege modification functions for mysql.user and the newer mysql.global_priv table. This is to facilitate writing denies into mysql.global_priv table.
Optimize Sql_cmd_grant class, to use composition instead of inheritance. This also had the added benefit of reducing memory usage for Grant commands, avoiding an extra copy in LEX structure.
Clean up the sql_acl.h exposed API. Many of the functions are now behind Sql_cmd_grant::execute calls.
Remove code duplication by converting double acl_get calls checking for user and role privileges into a single function. This will facilitate DENY checks as well.
Introduce a Priv_spec class that defines a delta of privileges. This is used uniformly by replace_xxxx_table functions to apply privilege deltas. This facilitates DENY and /REVOKE DENY grants.
Split mysql_grant function into separate components. This facilitates individual DENY level grants (Global, Database, Proxy) This has the added benefit of only locking the modified privilege tables when doing a grant update.
Cache get_current_user results in Sql_cmd_grant, before calling mysql_grant_xxx functions. This simplifies a lot of the mysql_grant_xxx functions.
Refactor test_if_create_new_users, similar to get_current_user caching. This will facilitate hooking up denies too.
Extend gramar in sql_yacc.yy to cover DENY clause.

Code to read DENY specification from mysql.global_priv table. The JSON format at this point is:

        "global": int

        "db": [

            "name": str

            "access": int

},

        "table": [

            "name": str

            "access": int

},

The format will be extended to cover finer level denies (table columns) too.

JSON reader class, used to parse the DENY json and create in-memory HASH tables for all deny entries - per user.
Extend mysql_show_grants to also output denies.
Wrote test cases to cover currently implemented functionality, as well as tests that currently fail (because denies are not properly enforced). Using effectively test driven development to ensure all code paths are covered.

TODO items:

Adjust privilege check call sites to do proper deny evaluation. Ideally, create a uniform API that abstracts away both user and role current grants and denies.
Extend information schema tables to present user denies.
Create a new privilege (IGNORE_DENIES) to allow a user to bypass denies.
Extend mysql_show_grants to output grants for users who have denies, but do not have the rights to see those denies. This requires a dedicated algorithm to generate the equivalent set of rights that are available.
Extend test coverage.
Code documentation - both within source as well as in the KB.

Vicențiu Ciorbaru added a comment - 2021-12-23 09:24 A current status update on the feature: In order to facilitate the feature, I have done the following cleanups: Move check_xxx_access functions to sql_acl.cc. Uniform privilege modification functions for mysql.user and the newer mysql.global_priv table. This is to facilitate writing denies into mysql.global_priv table. Optimize Sql_cmd_grant class, to use composition instead of inheritance. This also had the added benefit of reducing memory usage for Grant commands, avoiding an extra copy in LEX structure. Clean up the sql_acl.h exposed API. Many of the functions are now behind Sql_cmd_grant::execute calls. Remove code duplication by converting double acl_get calls checking for user and role privileges into a single function. This will facilitate DENY checks as well. Introduce a Priv_spec class that defines a delta of privileges. This is used uniformly by replace_xxxx_table functions to apply privilege deltas. This facilitates DENY and /REVOKE DENY grants. Split mysql_grant function into separate components. This facilitates individual DENY level grants (Global, Database, Proxy) This has the added benefit of only locking the modified privilege tables when doing a grant update. Cache get_current_user results in Sql_cmd_grant, before calling mysql_grant_xxx functions. This simplifies a lot of the mysql_grant_xxx functions. Refactor test_if_create_new_users , similar to get_current_user caching. This will facilitate hooking up denies too. Extend gramar in sql_yacc.yy to cover DENY clause. Code to read DENY specification from mysql.global_priv table. The JSON format at this point is: { "global": int "db": [ { "name": str "access": int }, ] "table": [ { "name": str "access": int }, ] } The format will be extended to cover finer level denies (table columns) too. JSON reader class, used to parse the DENY json and create in-memory HASH tables for all deny entries - per user. Extend mysql_show_grants to also output denies. Wrote test cases to cover currently implemented functionality, as well as tests that currently fail (because denies are not properly enforced). Using effectively test driven development to ensure all code paths are covered. TODO items: Adjust privilege check call sites to do proper deny evaluation. Ideally, create a uniform API that abstracts away both user and role current grants and denies. Extend information schema tables to present user denies. Create a new privilege (IGNORE_DENIES) to allow a user to bypass denies. Extend mysql_show_grants to output grants for users who have denies, but do not have the rights to see those denies. This requires a dedicated algorithm to generate the equivalent set of rights that are available. Extend test coverage. Code documentation - both within source as well as in the KB.

Isaac Venn (Inactive) made changes - 2022-01-12 22:33

Link

This issue relates to XPT-194 [ XPT-194 ]

Vicențiu Ciorbaru made changes - 2022-01-31 07:47

Status

In Progress [ 3 ]

Stalled [ 10000 ]

Vicențiu Ciorbaru made changes - 2022-02-15 08:33

Status

Stalled [ 10000 ]

In Progress [ 3 ]

Ralf Gebhardt made changes - 2022-03-16 17:31

Fix Version/s		10.10 [ 27530 ]
Fix Version/s	10.9 [ 26905 ]

Manjot Singh (Inactive) made changes - 2022-04-01 16:20

Link

This issue blocks DBAAS-6361 [ DBAAS-6361 ]

Manjot Singh (Inactive) made changes - 2022-04-01 16:20

Link

This issue relates to DBAAS-6361 [ DBAAS-6361 ]

Manjot Singh (Inactive) made changes - 2022-04-21 19:11

Link

This issue causes DBAAS-9687 [ DBAAS-9687 ]

Ralf Gebhardt made changes - 2022-05-11 16:23

Link

This issue blocks MENT-1348 [ MENT-1348 ]

Vicențiu Ciorbaru made changes - 2022-05-31 05:12

Status

In Progress [ 3 ]

Stalled [ 10000 ]

Ralf Gebhardt made changes - 2022-06-22 14:16

Fix Version/s		10.11 [ 27614 ]
Fix Version/s	10.10 [ 27530 ]

Christine Lieu (Inactive) added a comment - 2022-06-22 21:59

cvicentiu the Xpand team is going to start implementing this feature as well. Is there a build that we could use to compare notes?

Christine Lieu (Inactive) added a comment - 2022-06-22 21:59 cvicentiu the Xpand team is going to start implementing this feature as well. Is there a build that we could use to compare notes?

AirFocus made changes - 2022-08-09 16:11

Description

h2. Summary:
Implement a way to ensure that a user can not get access to a particular resource.
DENY will function as a separate set of rules for access control. If any resource (global, database, table, column, procedure, function, etc.) has a deny on one particular privilege, it is impossible to gain that privilege unless the DENY is revoked.

For example:
{code:sql}
GRANT SELECT on *.* to alice;
DENY SELECT on db.secret_table to alice;
{code}

{{alice}} will not be able to select from secret_table.

h2. Syntax:
{code:sql}
DENY <privilege-list> ON <object-list> TO <user-or-role>

REVOKE DENY <privilege-list> ON <object-list> FROM <user-or-role>
{code}

h3. User cases
https://stackoverflow.com/questions/6288554/mysql-grant-all-privileges-to-database-except-one-table (32k views)
https://dba.stackexchange.com/questions/98949/grant-select-on-all-databases-except-one-mysql (18k views)
https://dba.stackexchange.com/questions/68957/block-user-access-to-certain-tables (13k views)

h3. Details:

# Users should not be able to see that a DENY is assigned to them. Similar to how databases that the user can not access are not visible in {{show databases}}.
# DENY works on roles (as well as PUBLIC when it is implemented)
# Enabling a role activates that role's denies as well.
# Denies will be visible in {{SHOW GRANTS \[FOR\]}} if:
** User has read or write access to {{mysql}} database.
** -User has read or write access to corresponding {{mysql}} privilege table.- (TODO for as a separate MDEV for SHOW GRANTS)
# (?) Methods of querying denies: INFORMATION_SCHEMA.USER_PRIVILEGES
# Introduce a form of SUPER privilege, say IGNORE_DENIES, to allow a "superuser" to ignore denies (this is compatible with SQL Server DENY behavior)

h4. Compatiblity with other databases (Potential future work)
*SQL Server*
* Compared to SQL Server, DENY can only be revoked via REVOKE DENY. Future possibility for SQL Server compatibility (via {{SQL_MODE=MSSQL}}) GRANT can also cancel a DENY.
* An SQL Server quirk is that column level denies take precedence over table level denies. This is a deprecated functionality of SQL Server, meant for backwards compatibility.

*MySQL*
* MySQL treats revokes as "holes" that are filled when the privilege is granted (directly or via a a higher level grant). Deny will remain in effect in our implementation.
* To allow MySQL compatibility, a possible extension in the future is: {{@@partial_revokes=1}} -> REVOKE also works as DENY.

h3. Implementation details:
* Current privilege checking order first checks global, database, table, column privileges (in this order). If at any point the needed privileges are met, the privilege checking code stops execution. Introducing denies will require an additional lookup, one for each individual resource accessed. Some form of quick lookup must be made to answer:
** Does this user have denies for databases? (if global privileges met all required access bits).
** Does this user have denies for tables in a particular database (if database level privileges met all required access bits).
** Does this user have denies on table columns for a particular table (if table level privileges met all required access bits).
* (?) Should denies be stored in global_priv only, or should corresponding mysql.db, mysql.table_priv, etc. tables also have a "DENY" column?

h3. Milestones (each milestone includes test cases showcasing functionality):
# Grammar
# Global denies
# Database denies
# Table level denies
# Column level denies
# Stored procedure denies
# Information schema tables

h2. Summary:

Implement a way to ensure that a user can not get access to a particular resource.
DENY will function as a separate set of rules for access control. If any resource (global, database, table, column, procedure, function, etc.) has a deny on one particular privilege, it is impossible to gain that privilege unless the DENY is revoked.

For example:

{code:sql}
GRANT SELECT on *.* to alice;
DENY SELECT on db.secret_table to alice;
{code}

{{alice}} will not be able to select from secret\_table.

h2. Syntax:

{code:sql}
DENY <privilege-list> ON <object-list> TO <user-or-role>

REVOKE DENY <privilege-list> ON <object-list> FROM <user-or-role>
{code}

h3. User cases

https://stackoverflow.com/questions/6288554/mysql-grant-all-privileges-to-database-except-one-table (32k views)
https://dba.stackexchange.com/questions/98949/grant-select-on-all-databases-except-one\-mysql (18k views)
https://dba.stackexchange.com/questions/68957/block-user-access-to-certain\-tables (13k views)

h3. Details:

# Users should not be able to see that a DENY is assigned to them. Similar to how databases that the user can not access are not visible in {{show databases}}.
# DENY works on roles (as well as PUBLIC when it is implemented)
# Enabling a role activates that role's denies as well.
# Denies will be visible in {{SHOW GRANTS [FOR]}} if:
** User has read or write access to {{mysql}} database.
** -User has read or write access to corresponding {{mysql}} privilege table.- (TODO for as a separate MDEV for SHOW GRANTS)
# (?) Methods of querying denies: INFORMATION_SCHEMA.USER_PRIVILEGES
# Introduce a form of SUPER privilege, say IGNORE\_DENIES, to allow a "superuser" to ignore denies (this is compatible with SQL Server DENY behavior)

h4. Compatiblity with other databases (Potential future work)

*SQL Server*

* Compared to SQL Server, DENY can only be revoked via REVOKE DENY. Future possibility for SQL Server compatibility (via {{SQL_MODE=MSSQL}}) GRANT can also cancel a DENY.
* An SQL Server quirk is that column level denies take precedence over table level denies. This is a deprecated functionality of SQL Server, meant for backwards compatibility.

*MySQL*

* MySQL treats revokes as "holes" that are filled when the privilege is granted (directly or via a a higher level grant). Deny will remain in effect in our implementation.
* To allow MySQL compatibility, a possible extension in the future is: {{@@partial_revokes=1}} \-> REVOKE also works as DENY.

h3. Implementation details:

* Current privilege checking order first checks global, database, table, column privileges (in this order). If at any point the needed privileges are met, the privilege checking code stops execution. Introducing denies will require an additional lookup, one for each individual resource accessed. Some form of quick lookup must be made to answer:
** Does this user have denies for databases? (if global privileges met all required access bits).
** Does this user have denies for tables in a particular database (if database level privileges met all required access bits).
** Does this user have denies on table columns for a particular table (if table level privileges met all required access bits).
* (?) Should denies be stored in global_priv only, or should corresponding mysql.db, mysql.table_priv, etc. tables also have a "DENY" column?

h3. Milestones (each milestone includes test cases showcasing functionality):

# Grammar
# Global denies
# Database denies
# Table level denies
# Column level denies
# Stored procedure denies
# Information schema tables

Ralf Gebhardt made changes - 2022-08-24 08:31

Status

Stalled [ 10000 ]

In Progress [ 3 ]

Vicențiu Ciorbaru made changes - 2022-09-03 12:34

Link

This issue is blocked by ~~MDEV-29458~~ [ ~~MDEV-29458~~ ]

Vicențiu Ciorbaru made changes - 2022-09-05 11:20

Link

This issue is blocked by ~~MDEV-29465~~ [ ~~MDEV-29465~~ ]

Vicențiu Ciorbaru added a comment - 2022-09-07 05:16

Hi Sergei!

Once you are done with reviewing ~~MDEV-29458~~ & ~~MDEV-29465~~, please start looking at the code here:

https://github.com/MariaDB/server/pull/2258

Things currently not completely operational:
1. SHOW GRANTS currently only shows up-to database level denies.
2. Wildcard DB denies.

I'm looking for general input on architecture changes as well as functionality. I expect that by the time you get to the end of the commit tree that the missing items will also be present.

Vicențiu Ciorbaru added a comment - 2022-09-07 05:16 Hi Sergei! Once you are done with reviewing MDEV-29458 & MDEV-29465 , please start looking at the code here: https://github.com/MariaDB/server/pull/2258 Things currently not completely operational: 1. SHOW GRANTS currently only shows up-to database level denies. 2. Wildcard DB denies. I'm looking for general input on architecture changes as well as functionality. I expect that by the time you get to the end of the commit tree that the missing items will also be present.

Vicențiu Ciorbaru made changes - 2022-09-07 05:16

Assignee	Vicențiu Ciorbaru [ cvicentiu ]	Sergei Golubchik [ serg ]
Status	In Progress [ 3 ]	In Review [ 10002 ]

Sergei Golubchik made changes - 2022-09-11 12:55

Link

This issue is blocked by ~~MDEV-29509~~ [ ~~MDEV-29509~~ ]

Ralf Gebhardt made changes - 2022-09-20 17:29

Fix Version/s		10.12 [ 28320 ]
Fix Version/s	10.11 [ 27614 ]

Christine Lieu (Inactive) made changes - 2022-09-21 17:34

Summary

Blacklist for access control a.k.a. "negative grants"

DENY list for access control a.k.a. "negative grants"

Ralf Gebhardt made changes - 2022-09-29 02:15

Summary

DENY list for access control a.k.a. "negative grants"

DENY clause for access control a.k.a. "negative grants"

Todor Todorov (Inactive) made changes - 2022-10-28 10:07

Link

This issue blocks DBAAS-11448 [ DBAAS-11448 ]

Bryan Bancroft (Inactive) made changes - 2022-11-02 16:15

Link

This issue blocks DBAAS-11359 [ DBAAS-11359 ]

Sergei Golubchik made changes - 2022-11-06 20:22

Link

This issue is duplicated by MENT-1655 [ MENT-1655 ]

Julien Fritsch made changes - 2022-12-28 12:53

Fix Version/s		11.1 [ 28549 ]
Fix Version/s	11.0 [ 28320 ]

Oleksandr Byelkin made changes - 2023-02-09 10:17

Assignee

Sergei Golubchik [ serg ]

Oleksandr Byelkin [ sanja ]

Oleksandr Byelkin made changes - 2023-04-05 08:17

Assignee

Oleksandr Byelkin [ sanja ]

Vicențiu Ciorbaru [ cvicentiu ]

Ralf Gebhardt made changes - 2023-04-13 14:40

Fix Version/s		11.2 [ 28603 ]
Fix Version/s	11.1 [ 28549 ]

Vicențiu Ciorbaru made changes - 2023-04-18 04:13

Status

In Review [ 10002 ]

Stalled [ 10000 ]

Vicențiu Ciorbaru made changes - 2023-04-18 04:13

Status

Stalled [ 10000 ]

In Progress [ 3 ]

Vicențiu Ciorbaru added a comment - 2023-06-14 11:02

One status update on this:

I've rebased on top of 11.2.

As discussed with Sergei Golubchik, I've implemented the separation of denies between users and roles. The implementation still requires testing and I am uncovering edge cases, bugs and an occasional crash. I expect around a week worth of work to stabilize this, then it should be ready for one final review.

Vicențiu Ciorbaru added a comment - 2023-06-14 11:02 One status update on this: I've rebased on top of 11.2. As discussed with Sergei Golubchik, I've implemented the separation of denies between users and roles. The implementation still requires testing and I am uncovering edge cases, bugs and an occasional crash. I expect around a week worth of work to stabilize this, then it should be ready for one final review.

Ralf Gebhardt made changes - 2023-07-25 20:05

Fix Version/s		11.3 [ 28565 ]
Fix Version/s	11.2 [ 28603 ]

Sergei Golubchik made changes - 2023-09-17 18:03

Fix Version/s		11.4 [ 29301 ]
Fix Version/s	11.3 [ 28565 ]

Julien Fritsch made changes - 2023-11-30 14:12

Assignee

Vicențiu Ciorbaru [ cvicentiu ]

Julien Fritsch [ julien.fritsch ]

Julien Fritsch made changes - 2023-11-30 14:12

Status

In Progress [ 3 ]

Stalled [ 10000 ]

Julien Fritsch made changes - 2023-11-30 14:12

Assignee

Julien Fritsch [ julien.fritsch ]

Vicențiu Ciorbaru [ cvicentiu ]

Julien Fritsch made changes - 2023-11-30 16:30

Issue Type

Task [ 3 ]

New Feature [ 2 ]

Sergei Golubchik made changes - 2023-12-22 17:46

Fix Version/s		11.5 [ 29506 ]
Fix Version/s	11.4 [ 29301 ]

Ralf Gebhardt made changes - 2024-02-27 13:37

Fix Version/s		11.6 [ 29515 ]
Fix Version/s	11.5 [ 29506 ]

Sergei Golubchik made changes - 2024-06-04 15:39

Fix Version/s		11.7 [ 29815 ]
Fix Version/s	11.6 [ 29515 ]

AirFocus made changes - 2024-06-25 16:08

Labels

gsoc18

gsoc18 triage

Jira Automation (IT) made changes - 2024-07-04 08:10

Zendesk Related Tickets

120370 202301

Sergei Golubchik made changes - 2024-08-27 14:18

Fix Version/s		11.8 [ 29921 ]
Fix Version/s	11.7 [ 29815 ]

Ralf Gebhardt made changes - 2024-10-24 16:00

Assignee

Vicențiu Ciorbaru [ cvicentiu ]

Ralf Gebhardt made changes - 2024-10-24 16:00

Fix Version/s		11.9 [ 29945 ]
Fix Version/s	11.8 [ 29921 ]

Julien Fritsch made changes - 2025-01-24 11:41

Assignee

Vicențiu Ciorbaru [ cvicentiu ]

Sergei Golubchik made changes - 2025-01-24 12:52

Assignee

Vicențiu Ciorbaru [ cvicentiu ]

Ralf Gebhardt made changes - 2025-01-28 08:57

Link

This issue blocks MENT-1348 [ MENT-1348 ]

Sergei Golubchik made changes - 2025-01-28 13:38

Assignee

Alexander Barkov [ bar ]

Oleksandr Byelkin made changes - 2025-02-20 10:49

Assignee

Alexander Barkov [ bar ]

Vladislav Vaintroub [ wlad ]

Julien Fritsch added a comment - 2025-02-24 12:06

Per this announcement in the Slack triage channel: https://mariadb.slack.com/archives/C05S0ANJ8BE/p1739890335402039, we will now only use the "triage" label to indicate an ongoing customer-engineering escalation. Also, I will remove it, and if it's still needed, let me know.

Julien Fritsch added a comment - 2025-02-24 12:06 Per this announcement in the Slack triage channel: https://mariadb.slack.com/archives/C05S0ANJ8BE/p1739890335402039 , we will now only use the "triage" label to indicate an ongoing customer-engineering escalation. Also, I will remove it, and if it's still needed, let me know.

Julien Fritsch made changes - 2025-02-24 12:06

Labels

gsoc18 triage

gsoc18

Sergei Golubchik made changes - 2025-03-18 15:44

Fix Version/s		12.1 [ 29992 ]
Fix Version/s	12.0 [ 29945 ]

Christian Roser added a comment - 3 days ago

After talking to Vicențiu we came to the conclusion that for our usecase DENY on database level would be sufficient and relatively easy to implement. We mainly want to prevent users with global privileges from accessing mysql schema.
Is there a chance to get a DENY feature with limited scope implemented earlier than in 12.1?

regards
Christian

Christian Roser added a comment - 3 days ago After talking to Vicențiu we came to the conclusion that for our usecase DENY on database level would be sufficient and relatively easy to implement. We mainly want to prevent users with global privileges from accessing mysql schema. Is there a chance to get a DENY feature with limited scope implemented earlier than in 12.1? regards Christian

MariaDB Server

DENY clause for access control a.k.a. "negative grants"

Details

Description

Summary:

Syntax:

User cases

Details:

Compatiblity with other databases (Potential future work)

Implementation details:

Milestones (each milestone includes test cases showcasing functionality):

Attachments

Attachments

Issue Links

Sub-Tasks

Activity

People

Dates

Git Integration